000013555 - Configuring two RSA Authentication Manager 8.x user IDs to share a single SecurID token

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Nov 30, 2017.

Article Content

Article Number: 000013555
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
 
Issue
There are times when one user has more than one account in the external identity source used with Authentication Manager. For example, an Active Directory regular user account (jguillette) and a second AD admin account (AdminGuill).
By default, if one of these user IDs has a token assigned to it and the other does not, one or more of the following errors will show in the authentication activity monitor when the user ID without the token tries to authenticate to an agent using the native SecurID protocol:
  • Principal does not possess one or more authenticators
  • No aliases found, unable to resolve principal by alias
  • Unable to resolve principal by login ID and/or alias
  • Unable to resolve login by user id and/or alias, or authenticator not assigned to user
  • This user ID is already in use by an unresolvable user in this realm
If the agent is a RADIUS client, nothing may show in the authentication activity monitor or in authentication reports, but the /opt/rsa/am/radius/<date>.log file may have a generic entry such as:

Unable to find user <user ID> with matching password

This article explains how these two user IDs can share a single SecurID token in Authentication Manager so that the user can log in with either account on a protected authentication agent.
Cause
If the two LDAP user accounts exist in the same external identity source, Authentication Manager may resolve the real account with no token assigned rather than the alias of the real account that has the token assigned.
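As an added example (not part of the original article or of the Authentication Manager product), the following Python script scans exported authentication log lines for the messages quoted above and lists the user IDs that are failing for token- or alias-resolution reasons, which is a quick way to find accounts that need the alias configuration described in the Resolution. The "user=<id>" line layout and the sample lines are constructed for this example; a real activity monitor export or /opt/rsa/am/radius/<date>.log uses its own layout, so only the substring matching on the article's messages is meant to carry over.

```python
import re
from collections import defaultdict

# Messages the article associates with a user ID that has no token (or alias) of its own.
# Matched as case-insensitive substrings so surrounding detail in a real line does not matter.
ALIAS_ERRORS = (
    "principal does not possess one or more authenticators",
    "no aliases found, unable to resolve principal by alias",
    "unable to resolve principal by login id and/or alias",
    "unable to resolve login by user id and/or alias, or authenticator not assigned to user",
    "this user id is already in use by an unresolvable user in this realm",
)

# RADIUS wording from the article; here the user ID is embedded in the message itself.
RADIUS_RE = re.compile(r"unable to find user (\S+) with matching password", re.IGNORECASE)

# Constructed export layout for this example: "<timestamp> user=<id> agent=<host> result=<text>".
# Assumption: real exports differ; adjust this pattern to the actual column layout.
USER_RE = re.compile(r"\buser=(\S+)")


def classify_line(line: str):
    """Return (user_id, reason) when the line carries one of the article's messages, else None."""
    lowered = line.lower()
    m = RADIUS_RE.search(line)
    if m:
        return m.group(1), "radius: no matching password (check alias and RADIUS profile)"
    for msg in ALIAS_ERRORS:
        if msg in lowered:
            u = USER_RE.search(line)
            return (u.group(1) if u else "<unknown>"), msg
    return None


def triage(lines):
    """Group failing user IDs with the distinct reasons seen, ignoring unrelated lines."""
    findings = defaultdict(set)
    for line in lines:
        hit = classify_line(line)
        if hit:
            user, reason = hit
            findings[user].add(reason)
    return {u: sorted(r) for u, r in findings.items()}


# Constructed sample lines (not real RSA log output).
SAMPLE_LINES = [
    "2017-11-30T10:01:02 user=AdminGuill agent=vpn01 result=Principal does not possess one or more authenticators",
    "2017-11-30T10:01:40 user=jguillette agent=vpn01 result=Authentication succeeded",
    "2017-11-30T10:02:15 user=AdminGuill agent=vpn01 result=Unable to resolve principal by login ID and/or alias",
    "2017-11-30T10:03:00 Unable to find user AdminGuill with matching password",
    "2017-11-30T10:03:30 user=svc_backup agent=fs02 result=Unable to resolve login by user id and/or alias, or authenticator not assigned to user",
]

if __name__ == "__main__":
    for user, reasons in sorted(triage(SAMPLE_LINES).items()):
        print(f"{user}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against a real export by replacing SAMPLE_LINES with the file's lines; a user ID that shows up here while a second account for the same person authenticates cleanly is the pattern this article addresses.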
Resolution
The following example uses the two user IDs from the Issue section, jguillette and AdminGuill.
Prerequisite:
If no user groups exist,
  1. Create an internal group or use an external LDAP group. From the Security Console select Identity > User Groups > Add New.
  2. Add both the jguillette and AdminGuill user IDs to this group.
You will need a user group to assign to the user before continuing. If authentication is through a RADIUS client, also create a RADIUS profile.
  1. Login to the Security Console.
  2. Navigate to Identity > Users > Manage Existing.
  3. Set the Search Criteria for Identity Source to IS1 where User ID contains jguillette.
  4. In the User ID column, click on Jay's user ID and from the menu choose Authentication Settings.
  5. In the Authentication Settings section,
    1. For the option of User Authenticates With, select Only the following aliases.
    2. Select a user group from the list.
    3. In the User ID field, add the logon alias of AdminGuill.
    4. If authenticating with RADIUS, be sure to add a RADIUS profile value.
    5. Click Add.
    6. Click Save when done.
  6. Go back to Identity > Users > Manage Existing.
  7. Set the Search Criteria for Identity Source to IS2 where User ID contains AdminGuill.
  8. In the User ID column, click on Jay's user ID and from the menu choose Authentication Settings.
  9. In the Authentication Settings section,
    1. For the option of User Authenticates With, select Default User ID, or any of the following aliases. See screenshot below.
    2. Select a user group from the list.
    3. In the User ID field, add the logon alias for jguillette, e.g. AdminGuill.
    4. If authenticating with RADIUS, be sure to add a RADIUS profile value.
    5. Click Add.
    6. Click Save down at the bottom of the page when done.
Alias
  1. Navigate to Access > Authentication Agents > Manage Existing.
  2. Depending on the agent, click the Restricted or Unrestricted tab.
  3. Use the search fields to find the agent to which you want to enable logon aliases.
  4. Select the checkbox next to the agent to which you want to enable logon aliases.
  5. Do one of the following:
    • For restricted agents, select Grant Access to User Groups from the Action Menu and click Go.
    • For unrestricted agents, select Enable Logon Aliases from the Action Menu and click Go.
  6. Use the search fields to find the user groups for which you want to enable logon aliases.
  7. Select the checkbox next to the user group to which you want to enable logon aliases.
  8. Do one of the following:
    • For restricted agents, click Grant Access to User Groups.
    • For unrestricted agents, select Enable Logon Aliases with User Groups.
  9. Test authentication as both jguillette and as AdminGuill using the same token. When testing, be sure to wait for the tokencode to roll to the next one before the second authentication, so you don't get a passcode reuse attack error in the authentication activity monitor.
Notes
RSA strongly recommends that you do not allow users to share the same token. It is a poor security practice because it negates non-repudiation. However, allowing the same person with two different Windows accounts to use the same token with either account does not negate non-repudiation, so that use case is legitimate and is the reason this KB was written.
To do this, you must make Authentication Manager believe there is only one account (with an alias). It therefore goes without saying that the Windows Password Integration feature of Authentication Manager will be unaware that there are two accounts and, if you enable Windows Password Integration, will maintain only a single Windows password for both. You will either need to disable this feature for this user or have the user manually maintain the same password in AD for both accounts.
Legacy Article ID: a63738
